From: | Sameer Kumar <sameer(dot)kumar(at)ashnik(dot)com> |
---|---|
To: | François Beausoleil <francois(at)teksol(dot)info> |
Cc: | PostgreSQL General Discussion Forum <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: DB Authentication Design |
Date: | 2014-01-13 01:27:40 |
Message-ID: | CADp-Sm6xi0=-=CiWs7y4Z4TkHz3VWDkAWGvEWXqcE9tfPGy16Q@mail.gmail.com |
Lists: | pgsql-general |
On 12 Jan 2014 22:31, "François Beausoleil" <francois(at)teksol(dot)info> wrote:
>
> Hi all,
>
> I'm thinking that all apps that connect to the database should have their
> own user. For example, the web application process is one user, then a
> report builder process should have another user, and a different process
> that imports data should have its own too, and so on. Would you generally
> agree with that?
>
Should be a good security design given you restrict access and ability for
each user. E.g. reporting user will not need update privileges, you can
have an additional application admin user who will be used for applying db
patches (only that user should have alter and create privileges).
> I'm thinking that by having different users, PgBouncer can create
> different pools, and better allow me to control concurrency.
You can restrict this and also restrict other resources e.g. work_mem
(probably reporting user will need higher than others).
Regards
Sameer
PS: Sent from my Mobile device. Pls ignore typo n abb
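
The role layout discussed in this message, sketched as an added example that is not part of the original email: one login role per process, DDL confined to a patch-applying admin role, a read-only reporting role with a larger work_mem. The database, schema and role names, the connection limits, the setting values, and the append-only treatment of the import role are all assumptions made for illustration.

```sql
-- Hypothetical names throughout: database appdb, schema app, roles app_*.
-- Run as a superuser. Set passwords separately (e.g. psql's \password).

-- One login role per process; CONNECTION LIMIT caps each one's concurrency.
CREATE ROLE app_admin  LOGIN CONNECTION LIMIT 2;   -- applies DB patches (DDL)
CREATE ROLE app_web    LOGIN CONNECTION LIMIT 40;  -- web application
CREATE ROLE app_report LOGIN CONNECTION LIMIT 5;   -- report builder
CREATE ROLE app_import LOGIN CONNECTION LIMIT 3;   -- data import

-- Remove the defaults every role inherits through PUBLIC.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb
    TO app_admin, app_web, app_report, app_import;

-- app_admin owns the schema, so only it can CREATE/ALTER/DROP objects there.
CREATE SCHEMA app AUTHORIZATION app_admin;
GRANT USAGE ON SCHEMA app TO app_web, app_report, app_import;

-- Tables app_admin creates later pick up these grants automatically.
ALTER DEFAULT PRIVILEGES FOR ROLE app_admin IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_web;
ALTER DEFAULT PRIVILEGES FOR ROLE app_admin IN SCHEMA app
    GRANT SELECT ON TABLES TO app_report;          -- read-only, no UPDATE
ALTER DEFAULT PRIVILEGES FOR ROLE app_admin IN SCHEMA app
    GRANT SELECT, INSERT ON TABLES TO app_import;  -- assumed append-only
ALTER DEFAULT PRIVILEGES FOR ROLE app_admin IN SCHEMA app
    GRANT USAGE ON SEQUENCES TO app_web, app_import;

-- Per-role resource settings, applied when a session starts as that role.
ALTER ROLE app_report SET work_mem = '256MB';      -- constructed value
ALTER ROLE app_report SET statement_timeout = '10min';
ALTER ROLE app_web    SET statement_timeout = '5s';

-- Check the result: per-role settings and connection limits.
SELECT rolname, rolconnlimit, rolconfig
  FROM pg_roles
 WHERE rolname LIKE 'app\_%';
```

PgBouncer keys its pools on the database/user pair, so each of these roles gets its own pool without further role-side configuration.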